System and method for aggregating and reporting network traffic data

ABSTRACT

A method for analyzing traffic in a communications network includes sampling data packets at a plurality of network interconnection points, wherein sampling the data packets includes generating a plurality of sampled packet data in one or more standardized formats, converting the sampled packet data from the one or more standardized formats into a neutral format, and aggregating the sampled packet data in the neutral format from the plurality of network interconnection points. A system includes a communications node operable to sample data packets flowing through and generate sample packet data in a specified format, a collector node operable to convert the sampled packet data into a neutral format, the collector node further operable to map IP addresses of the sampled packet data to corresponding prefixes in a routing table; and an aggregator node operable to aggregate neutrally formatted sampled packet data from a plurality of collector nodes.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims the benefit of priorityto U.S. nonprovisional application Ser. No. 12/116,354, filed May 7,2008, titled “SYSTEM AND METHOD FOR AGGREGATING AND REPORTING NETWORKTRAFFIC DATA,” which is hereby incorporated by reference herein.Application Ser. No. 12/116,354 claims the benefit of priority to U.S.provisional application No. 60/948,960, filed Jul. 10, 2007, which ishereby incorporated by reference herein.

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection.The copyright owner has no objection to the facsimile reproduction ofthe patent disclosure by any person as it appears in the Patent andTrademark Office patent files or records, but otherwise reserves allrights to the copyright whatsoever. Copyright © 2008 Level 3Communications, LLC.

TECHNICAL FIELD

Embodiments of the present invention generally relate to networkcommunications. More specifically, embodiments relate to a system andmethod for aggregating and reporting network traffic data.

BACKGROUND

Network service providers want to understand flow of communicationstraffic and traffic flow changes over the network for purposes ofcapacity planning, marketing and other reasons. For example, it isimportant to know if traffic through a gateway is increasing, in orderto know whether routers should be added to the gateway. It may also behelpful to know whether traffic from a particular customer, such as anInternet service provider (ISP), is increasing or decreasing tounderstand how to provide better service to the ISP. Some tools, such assFlow and Nefflow, are available that attempt to provide informationabout traffic flow by sampling packet data through IP networks.

For example, a Netflow agent running on a router can provide data suchas packet source IP address, destination IP address and port numbers. Inaddition to these, the autonomous system (AS) may be identified by asFlow agent. Because currently available tools gather traffic flowinformation at a packet level, these tools obtain relatively low-levelinformation such as source or destination IP addresses. However, thesetools are unable to provide information such the city or ISP that thepackets are originating from or going to. As such, currently availabletraffic analysis tools are not capable of providing a view of trafficflow or changes in traffic flow as it relates to other business aspectsof the network service provider.

It is with respect to these and other problems that embodiments of thepresent invention have been created.

SUMMARY

Embodiments of systems and methods can use sampled packet data todetermine traffic flow statistics associated with one or moreattributes, such as, but not limited to geographic region, network,community, application, protocol, autonomous system, or customer.Traffic flow statistics can be measures of traffic volume associatedwith an attribute. For example, traffic volume measurements can begenerated that indicate the traffic volume that is inbound to oroutbound from an autonomous system network. As another example, trafficvolume measurements can be generated that reflect the volume of trafficthat is on-net and the volume of traffic that is off-net with respect toa selected network.

An embodiment of a method for analyzing traffic in a communicationsnetwork includes sampling data packets at a plurality of networkinterconnection points, wherein sampling the data packets includesgenerating a plurality of sampled packet data in one or morestandardized formats, converting the sampled packet data from the one ormore standardized formats into a neutral format, and aggregating thesampled packet data in the neutral format from the plurality of networkinterconnection points.

In at least one embodiment of the method the IP prefixes are obtainedfrom a routing table. The method may further include converting thesampled packet data from one or more standardized formats into a neutralformat. Enriching the sampled packet data may include mapping IPaddresses in the sampled packet data to geographic locations. Enrichingthe sampled packet data may include mapping IP addresses in the sampledpacket data to customers. The plurality of standardized formats mayinclude one or more of sFlow format, Netflow format and cflowd format.The geographic locations may include one or more of a city, a country, acontinent or a region.

An embodiment of the method further includes generating one or moretraffic flow reports based on the sampled packet data. The one or morereports may include one or more of a peer distribution report includingone or more of traffic volume measurements of traffic outbound from apeer network or traffic volume measurements of traffic inbound to a peernetwork, a customer distribution report including on or more of trafficvolume measurements of traffic outbound from one or more customernetworks or traffic volume measurements of traffic inbound to one ormore of customer networks, an autonomous system distribution reportincluding average traffic volume, traffic volume by region, on-nettraffic volume, off-net traffic volume, direction of traffic, next hopautonomous systems, and upstream autonomous systems associated with oneor more autonomous systems, an applications report including averagetraffic volume and region to region traffic volume associated withnetwork applications, an on-net distribution report includes trafficvolume measurements of traffic outbound from a peer network that wasalso inbound to the peer network, an off-net distribution reportincludes traffic volume measurements of traffic outbound from a peernetwork that was not also inbound to the peer network, a regiondistribution report including average traffic volume inbound to oroutbound from selected regions, and a city distribution report includingaverage traffic volume from one or more source cities to one or moredestination cities.

In an embodiment of the method enriching the sample packet data includesgenerating one or more sampled packet data summaries at a collector nodeby mapping the sampled packet data to routing table data fromcommunication nodes associated with the collector node. The method mayfurther include communicating the one or more sampled packet datasummaries from the collector nodes to an aggregator node configured toperform the aggregating.

An embodiment of a system includes a communications node operable tosample data packets flowing through and generate sample packet data in aspecified format, a collector node operable to convert the sampledpacket data into a neutral format, the collector node further operableto map IP addresses of the sampled packet data to the network (orprefix) they belong to in a routing table, and an aggregator nodeoperable to aggregate neutrally formatted sampled packet data from aplurality of collector nodes. The IP prefixes may be associated withrespective autonomous systems, and wherein the collector node is furtheroperable to map sampled packet data to associated autonomous systems.The aggregator node may be further operable to generate traffic flowmeasures associated with autonomous systems communicating over thecommunications network.

An embodiment of the system may further include an autonomous system(AS) registry storing information about autonomous systems including ASidentifier and region. The system may further include a customerattributes data store storing customer AS identifiers. The aggregatornode may be further operable to map AS identifiers from the sampledpacket data to regions in the AS registry. Further still, the aggregatornode may be operable to generate traffic flow measurements associatedwith network applications based on the neutrally formatted sampledpacket data. Still further, the aggregator node may be operable togenerate one or more reports relating traffic flow measurements to oneor more of a region, an autonomous system, a community, a networkapplication, or a network protocol. At least one of the one or morereports may include traffic flow measurements for traffic flowing from aselected community to at least one other community.

In at least one embodiment of the system the aggregator is furtheroperable to generate a traffic flow measurement of outbound traffic froma selected AS to each of a plurality of other AS's. The aggregator maybe further operable to generate a traffic flow measurement of outboundtraffic to a selected AS from each of a plurality of other AS's. Furtherstill, the aggregator may be operable to generate a traffic flowmeasurement of on-net traffic and a traffic flow measurement of off-nettraffic for a selected AS.

Another embodiment of a method for analyzing communications trafficthrough a network includes sampling data packets communicated throughthe network, categorizing each data packet according one or morenetwork-related attribute categories, aggregating data packets of eachof the attribute categories, and determining data packet transmissionstatistics associated with each of the one or more attribute categoriesbased on the aggregation. The one or more attribute categories mayinclude one or more of geographic region, network, community,application, protocol, autonomous system, customer, on-net, or off-net.Determining data packet transmission statistics may include determiningdata packet volume transmitted to or from one or more of a geographicregion, a network, a community, an autonomous system, a customer, anon-net provider, or an off-net provider.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an operating environment suitable for practicingtraffic flow data aggregation and reporting in accordance with variousembodiments of the present invention.

FIG. 2 illustrates a network configuration for carrying out traffic flowdata aggregation and reporting in accordance with the embodiment of FIG.1.

FIGS. 3-7 illustrate exemplary reports that can be generated usingembodiments of aggregating and reporting systems shown in FIGS. 1-2.

FIG. 8 is a flowchart illustrating a traffic flow aggregating andreporting algorithm in accordance with an embodiment of the presentinvention.

FIG. 9 illustrates a general purpose computing device upon which one ormore aspects of embodiments of the present invention may be implemented.

While the invention is amenable to various modifications and alternativeforms, specific embodiments have been shown by way of example in thedrawings and are described in detail below. The intention, however, isnot to limit the invention to the particular embodiments described.

DETAILED DESCRIPTION

Embodiments of systems and methods can use sampled packet data todetermine traffic flow statistics associated with one or morenetwork-related attribute categories, such as, but not limited togeographic region, network, community, application, protocol, autonomoussystem, customer, on-net or off-net. Traffic flow statistics can bemeasures of traffic volume associated with an attribute. For example,traffic volume measurements can be generated that indicate the trafficvolume that is inbound to or outbound from an autonomous system network.As another example, traffic volume measurements can be generated thatreflect the volume of traffic that is on-net and the volume of trafficthat is off-net with respect to a selected network.

Some embodiments of the present invention relate to systems and methodsfor aggregating and reporting traffic flow data captured in acommunications network. Various embodiments sample packets of dataflowing through the communications network and derive aggregated trafficflow from the sampled packets. Data in sampled packets are mapped torouting data descriptive of routes in the communications network, thusenriching the sampled packet data. By enriching sampled packet data withrouting data, traffic flow can be derived in relation to relevantattributes, such as autonomous systems, geographical regions, NSPcustomers, NSP noncustomers, peers, on-net or off-net distribution,network applications or protocols. For example, total traffic flowbetween AS's, peers or communities can be determined. Reports caninclude traffic flow statistics in relation to various attributes. Forexample, traffic volume measurements can be used to report trafficvolume between AS's, peers or communities, as well as on-net/off-net,customer and noncustomer distribution, or traffic associated withselected applications or protocols.

A method for analyzing communications traffic through a network includessampling data packets communicated through the network, categorizingeach data packet according one or more network-related attributecategories, aggregating data packets of each of the attributecategories, and determining data packet transmission statisticsassociated with each of the one or more attribute categories based onthe aggregation. The one or more attribute categories may include one ormore of geographic region, network, community, application, protocol,autonomous system, customer, on-net, or off-net. Determining data packettransmission statistics may include determining data packet volumetransmitted to or from one or more of a geographic region, a network, acommunity, an autonomous system, a customer, an on-net provider, or anoff-net provider.

Prior to describing one or more preferred embodiments of the presentinvention, definitions of some terms used throughout the description arepresented.

DEFINITIONS

The term “network service provider” refers to an organization orbusiness that provides network access to one or more customers. An NSPmay operate, for example, a backbone network and/or edge networkscoupled to a plurality of other networks, whereby the other networks cancommunicate with each other and the Internet via the NSP network(s).

The term “customer” refers to an entity that uses services provided byan NSP. For example, the customer may pay the NSP for carrying trafficover the NSP's network.

A “node” is a uniquely addressable functional device on (i.e.,communicatively coupled to) a network. A node may be any type ofcomputer, server, gateway device, or other.

“Traffic”, “communication traffic” or “network traffic” refer to theflow of data or messages in a network.

A “module” is a self-contained functional component. A module may beimplemented in hardware, software, firmware, or any combination thereof.

The terms “connected” or “coupled” and related terms are used in anoperational sense and are not necessarily limited to a direct connectionor coupling.

The phrases “in one embodiment,” “according to one embodiment,” and thelike generally mean the particular feature, structure, or characteristicfollowing the phrase is included in at least one embodiment of thepresent invention, and may be included in more than one embodiment ofthe present invention. Importantly, such phases do not necessarily referto the same embodiment.

If the specification states a component or feature “may”, “can”,“could”, or “might” be included or have a characteristic, thatparticular component or feature is not required to be included or havethe characteristic.

The terms “responsive” and “in response to” includes completely orpartially responsive.

A computer program product can take the form of one or morecomputer-readable media. The term “computer-readable media” is mediathat is accessible by a computer, and can include, without limitation,computer storage media and communications media. Computer storage mediagenerally refers to any type of computer-readable memory, such as, butnot limited to, volatile, non-volatile, removable, or non-removablememory. Communication media refers to a modulated signal carryingcomputer-readable data, such as, without limitation, program modules,instructions, or data structures.

Exemplary System

FIG. 1 illustrates an exemplary operating environment 100 in whichtraffic flow aggregation and reporting may be carried out in accordancewith embodiments of the present invention. The operating environment 100includes a network service provider (NSP) network 102 that operablyinterconnects multiple autonomous systems (AS) 104. The NSP network 102provides communication service between the AS's 104. More specifically,the NSP network 102 supplies network bandwidth and routing functionalityto the AS's 104 to route data packets between endpoints 106 logicallylocated in the AS's 104.

In one embodiment, the NSP network 102 comprises a managed backbonenetwork providing wholesale network service. The NSP could provideservices commonly provided by an ISP. For example, the NSP could provideemail, web site hosting, caching, and content serving. The AS's 104 mayinclude, for example, Internet service providers (ISPs) networks, otherNSP networks, enterprise networks, Regional Bell Operating Companies(RBOC) networks, cable company networks, content distribution networks(CDNs), web sites, and application service provider (ASP) networks. Theendpoints 106 are communications devices used by, for example, privateusers, enterprises, or web sites. One or more of the AS's 104 mayinterconnect with other networks or AS's 108 to facilitate communicationto and from the other networks/AS's 108. The NSP network 102, autonomoussystems 104, and other network/AS's 108 may include any combination ofwireless or wireline networks.

The autonomous systems 104 interconnect with the NSP network 102 atnetwork interconnection points (NIP) 110. A NIP 110 may be, for example,an Internet exchange point (IXP), a network access point (NAP), agateway, a point of presence (POP), a peering point, or a regionalswitching point. Data packets are routed through the NIPs 110 to andfrom autonomous systems 104 via the NSP network 102. The data packetscan pertain to various different applications, such as, but not limitedto, simple mail transport protocol (SMTP) applications (e.g., email),hypertext transport protocol (HTTP) applications, telnet applications,or peer-to-peer (p2p) applications.

In various embodiments, the AS's 104 may be peers of other AS's 104 andthe NSP network 102 and/or the AS's 104 may be customers of the NSF. Forexample, an AS 104 may provide backbone network service like the NSPnetwork 102; or, the AS 104 may be a website or web content host thatsubscribes to backbone service provided by the NSP network 102. SomeAS's 104 may act as both a peer and customer to the NSP network 102.

The NSP network 102 includes numerous communication nodes 112 thatinclude routing or switching functionality, for routing packets throughthe NSP network 102 and to/from one or more AS's 104. For simplicity,only a few communication nodes 112, and only a few AS's 104, are shownin the embodiment of FIG. 1. The communication nodes 112 may be, by wayof example, routers or switches. In order to effectively handlecommunication traffic flowing over the NSP network 102 between AS's 104,it is useful to understand the nature of traffic flow into, out of,and/or through the NSP network 102.

Accordingly, at least some of the communication nodes 112 includesampling agents 114 that sample packets flowing through thecommunication nodes 112. The sampling agents 114 may sample packetsaccording to a sampling standard, such as, but not limited to sFlow,Netflow, or cflowd. Each of these standards yield sample packet data ina specified format that may differ from one standard to another.Generally the sampling agents 114 sample 1 in N packets, where N can beset by the manufacturer or configured by a user (e.g., a networkadministrator). The particular sampling protocol employed in acommunication node 112 may depend upon the make or model of thecommunication node 112. For example, Cisco™ routers typically employNetflow, Juniper™ routers employ cflowd, and Force10™ routers employsFlow.

Typically, the sampling agents 114 generate datagrams or other units ofdata that include specified information obtained from the sampledpackets. The sample packet data 119 generally includes at least thesource IP address, destination IP address, port numbers, and protocolassociated with the sampled packet. Some sampling standards, such assFlow, also obtain autonomous system numbers associated with the sampledpacket. Sampled packet data 119 are sent from the communication nodes112 to collector nodes 116. In addition, each collector node 116 obtainsa routing table 117 from the respective communication node 112. In someembodiments the routing table 117 is sent over a routing feed that isseparate from the sample packed data 119. The collector node 116 usesthe sample packet data 119 and the routing table 117 to generate asummary 121 of sampled packets flowing through the networkinterconnection point 110.

To generate the summary 121, a collector node 116 first converts thesample packet data 119 from the sampling standard(s) used by thesampling agent 114 into a neutral format. For example, sample packetdata 119 in the sFlow format, the Netflow format or the cflowd formatare converted into a neutral format that is commonly used by thecollector nodes 116 (and later the aggregator nodes 118). Typically theneutral format differs from the standard formats, but this is notrequired. In one embodiment, the neutral format is a unified assembly ofspecified units of data from the sample packet data 119 in a format thatis common across all summaries 121 and collector nodes 116. In variousembodiments, after the collector nodes 116 receive sample packet data119 from the sample agents 114, the collector nodes 116 identify each ofthe specified data (e.g., source and destination IP addresses) in thesample packet data 119, extract the data, convert the data into commonunits, as may be necessary, and assemble the data into the neutralformat.

The routing table 117 from a communication node 112 indicates availableroutes over which packets can be sent to reach their destinations. Therouting table 117 includes a list of networks (or prefixes) to which IPaddresses belong that the collector node 116 correlates with destinationIP addresses in the sample packet data 119. In addition to thedestination IP prefixes of routes, the routing table includes AS numbersfor all AS's in the route. In various embodiments, the routing table 117includes information about communities associated with the routes. Acommunity is generally a group of network nodes that have some commonattribute. For example, a community may be a geographic area, such as acity, a country, a continent or a region. Using the community data, thecollector node 116 can map IP addresses in the sampled packet data 119to communities identified in the routing table 117.

The routing table 117 also indicates whether the IP prefixes are inautonomous systems that are customers or not customers of the NSPnetwork 102. In addition, the routing table 117 can include informationabout the destination router associated with each route. By mapping IPaddress data in the sample packet data to corresponding IP prefixes inthe routing table 117, each collector node 116 can generate one or moresummaries 121 of packet flow in the associate NIP 110. In someembodiments the format and contents of the summaries 121, as well as thetiming of generation, are configurable by the user.

In one embodiment, the collector node 116 enriches sample packet datausing the data in the routing table 117. For example, a collector node116 could generate a summary including a mapping of AS numbers to sourceand destination IP addresses of sampled packets. As another example, thecollector node 116 could generate a summary 121 including a mapping ofsource and destination IP addresses to city, country, continent orregion. The summaries 121 may be generated by the collector nodes 116automatically or on demand. For example, the summaries 121 may begenerated periodically (e.g., once daily, weekly or monthly).Alternatively or in addition, summaries 121 may be generated in responseto certain events. For example, summary 121 generation may be triggeredby an increase or decrease in traffic flow that exceeds a set threshold.One exemplary embodiment of enriched sample packet data is shown below:

[nfr]sa:75.126.53.172da:82.206.143.35nh:4.68.122.158ii:66oi:85pa:1oc:46fi:198857563la:198861211sp:80dp:1590fl:0x0pr:6to:0x0ds:12179ss:22351sl:16dl:24BV:default

SR:75.126.0.0116 SN:4.69.185.162 SS:12179 12179 36351 SC:3356:3 3356:223356:100 3356:123 3356:575 3356:2008 DR:82.206.143.0124 DN:4.69.185.2DS:22351 DC:3356:3 3356:22 3356:100 3356:123 3356:575 3356:201022351:4001

The summaries 121 that are generated by the collector nodes 116 are sentto one or more aggregator nodes 118. An aggregator node 118 is operableto apply additional data to the summaries from the networkinterconnection points 110 to generate reports of traffic flow throughthe NSP network 102 as a whole and to further correlate features of thetraffic flow with AS's 104 that interconnect with the NSP network 102.In the illustrated embodiment, the aggregator node 118 uses an ASregistry 120 and customer attributes data 122 to derive othercorrelations between data and further enrich the data in the trafficflow report.

The AS registry 120 provides information about autonomous systemsworldwide. Such AS information can include the AS name, number, country,continent, region, and so on. The aggregator 118 can use the AS registry120, for example, to map AS numbers identified in the summaries 121 toAS names, countries and/or regions. The customer attributes data 122 istypically an internal database of the NSP network 102 that storesvarious types of data about customers of the NSP. The customer data isgathered over time based on the NSP's understanding of the customers.For example, but without limitation, the customer attributes data 122can store customer preferences, historical average traffic volume,interface device types or specifications, as well as customer AS numberswith their associated customer name, which may differ from the publiclyknown name in the AS registry 120.

In some embodiments the aggregator nodes 118 derive statistics, such asa measure of total traffic flow, associated with one or morenetwork-related attribute categories, such as AS's 104, communities,customers, noncustomers, on-net, off-net, peers, application, protocol.In an embodiment, total traffic flow can be determined by extrapolatingthe number of sampled packets associated with a given attributecategory. This extrapolation can involve multiplying the total number ofsampled packets with a particular characteristic (e.g., associated witha particular peer, AS, customer, etc.) with the sampling factor used bythe sampling agent 114.

For example, if the sampling agent 114 samples one packet in every ‘N’packets, and samples 20 packets associated with a particular peernetwork, then the total packet flow attributed to the peer network isderived by multiplying N times 20. As another example, if 50 packets aresampled from a selected AS and 15 packets of the 50 are sent off the ASnetwork and the remainder are sent back on the AS network, N times 15yields the off-net traffic flow, and N times 35 yields the on-nettraffic flow associated with the selected AS. The aggregator nodes 118can generate reports on demand or automatically or both. The reports maybe configured by the user to present certain data in certain ways.Exemplary embodiments of collector nodes, aggregator nodes, and theirfunctions and outputs are discussed further below.

For example, FIG. 2 illustrates an exemplary embodiment of a trafficflow aggregation and reporting system 200 in accordance with theembodiment of FIG. 1. The exemplary system 200 includes four gateways:202 a, 202 b, 202 c, and 202 d. In general, a gateway 202 is a point ofcontact between two networks. The gateways 202 typically, but notnecessarily, perform protocol conversion between the networks. Eachgateway 202 includes multiple routers 204 and two core switches 206. Thenumbers of gateways 202, routers 204, and core switches 206 shown inFIG. 2 are for illustrative purposes only; it will be understood bythose skilled in the art that a typical network may include more orfewer gateways, routers and switches than those shown in FIG. 2.

Each gateway 202 includes two collectors 208. In this particularexample, the collectors 208 are implemented as server computers. In thisembodiment two collectors 208 are provided for redundancy, but ingeneral, more or fewer collectors may be installed at each gateway. Thecollectors 208 at each gateway 202 are coupled to respective coreswitches 206 in the gateway 202. Further, the core switches 206 arecoupled to multiple routers 204. The routers 204 include sampling agentsthat sample packet data that flows through the gateway 202. Eachcollector 208 includes an application that converts and summarizessample packet data from routers 204. In addition, a routing feed existsbetween each core switch 206 and the collectors 208, whereby the routingtables, sample packet data, and/or other data of the routers 204 can besent to the collectors 208. The collectors 208 use the routing tabledata to summarize the sample packet data.

The system 200 includes two aggregators 210 implemented as servercomputers in this particular example. Two aggregators 210 are used herefor redundancy; however, in other implementations more or feweraggregators may be used. The aggregators 210 may or may not begeographically distant from the collectors 208 or each other. Forexample, one aggregator 210 may be located in Atlanta, Ga., and anotherin Denver, Colo. The aggregators 210 use one or more AS registrydatabases 212 and one or more customer attribute databases 214 to mapsampled packet data to other data relevant to marketing, capacityplanning and/or security. For example, data in the sampled packet datamay be mapped to AS's, peer networks, network applications, networkprotocols, customers, geographic regions, and/or communities, such as,but not limited to cities, counties or countries.

FIGS. 3-7 illustrate exemplary reports that may be generated inaccordance with various embodiments. In these embodiments the reportscomprise tables; however, the tables are merely one example of themanner of presentation. In addition to tabular form, traffic flow datacan be presented, for example, by charts (e.g., pie charts, bar charts),graphs (e.g., trend line graphs), text, spreadsheets, and histograms.Such reports can be presented on a computer display, and/or printed onpaper, or other output mechanism. The reports also may be stored infiles and/or sent via email to one or more users.

FIG. 3 a illustrates an exemplary peer outbound distribution report 300.The peer outbound distribution report 300 indicates the traffic volumesent to one or more other peer autonomous systems by a selected peer AS,referred to here as Peer AS ‘n’, The left column 302 of the report 300lists names or other identifiers of peer autonomous systems and theright column 304 lists the corresponding traffic volume sent to theassociated peer AS networks identified in the left column. The volumemay be listed in various units, such as Megabits, Gigabits, or as apercentage of total volume sent by Peer AS ‘n’.

FIG. 3 b illustrates an exemplary peer inbound distribution report 306.The peer inbound distribution report 300 indicates the traffic volumesent to Peer AS ‘n’ from one or more other peer autonomous systems. Theleft column 308 of the report 306 lists names or other identifiers ofpeer autonomous systems and the right column 310 lists the correspondingtraffic volume sent from each of the peer AS's identified in the leftcolumn to the Peer AS ‘n’. The volume may be listed in various units,such as Megabits, Gigabits, or as a percentage of total volume receivedby Peer AS ‘n’.

FIG. 4 a illustrates an exemplary on-net/off-net outbound distributionreport 400. In general the report 400 indicates the traffic volume sentby AS ‘n’ that is also received by AS ‘n’ (on-net) and the trafficvolume sent by AS ‘n’ that is not received by AS ‘n’ (off-net). Forexample, in the case of on-net traffic, the traffic is sent from a node(e.g., an endpoint) on the AS ‘n’ network onto the backbone network, andis directed to a destination node that is also on the AS ‘n’ network, sothe backbone network routes the traffic back onto the AS ‘n’ network. Bycontrast, off-net traffic is sent from the AS network and has adestination on a different AS network, so the backbone network routesthe traffic onto the different AS network. Referring to report 400, theleft column 402 includes designations on-net and off-net. The rightcolumn 404 indicates the volume of traffic sent from the AS ‘n’ networkthat is on-net and off-net, respectively. The volumes in the rightcolumn 404 can be in various units such as Megabits, Gigabits, or as apercentage of total outbound volume.

FIG. 4 b illustrates an exemplary on-net/off-net inbound distributionreport 406. In general the report 406 indicates the traffic volumereceived by AS ‘n’ that is also sent by AS ‘n’ (on-net) and the trafficvolume received by AS ‘n’ that is not sent by AS ‘n’ (off-net). Thereport 406 includes a left column 408 that includes designations on-netand off-net. The right column 410 indicates the volume of trafficreceived by the AS ‘n’ network that is on-net and off-net respectively.The volumes in the right column 410 can be in various units such asMegabits (Mb), Gigabits (Gb), or as a percentage of total inboundvolume.

FIG. 5 a illustrates an exemplary customer outbound distribution report500. In general, the report 500 indicates traffic volume that is sent byan AS (AS ‘n’ in this example) to selected customers of the NSP networkthat carries the traffic. The report 500 includes a left column 502 thatlists customer identifiers (e.g., customer names). The right column 504indicates the traffic volume sent by AS ‘n’ to the respective customersidentified in the left column 502. In the particular example of FIG. 5,the top 10 customers are shown; however, any customers could be selectedfor the report 500.

FIG. 5 b illustrates an exemplary customer inbound distribution report506. In general, the report 506 indicates traffic volume that isreceived by an AS (AS ‘n’ in this example) from selected customers ofthe NSP network that carries the traffic. The report 506 includes a leftcolumn 508 that lists customer identifiers (e.g., customer names). Theright column 510 indicates the traffic volume received by AS ‘n’ fromthe respective customers identified in the left column 508. In theparticular example of FIG. 5, the top 10 customers are shown; however,any customers Could be selected for the report 506.

FIG. 6 a illustrates a report 600 of the AS's associated with thehighest traffic volume on an NSP network. A left column 602 lists AS'sby name (or other identifier). An ‘average volume’ column 604 lists theaverage volume sent or received by the respective AS shown in the leftcolumn 602. A ‘top region’ column 606 lists the region identifier andassociated volume for the region that the associated AS sends to orreceives from. Exemplary regions are Europe, North America or Asia. Thevolume shown in column 606 could be a percentage of total volume or someother units, such as Mb or Gb. An ‘on-net/off-net’ column 608 indicateswhether most of the volume was on the respective AS's network or off therespective AS's network, and what the percentage of volume the on-net oroff-net volume constituted.

In a ‘direction’ column 610 indicates the direction of the majority oftraffic flow relative to the respective AS listed in the left column602. The direction is indicated by the terms ‘source’ (sent from the AS)and ‘sink’ (received by the AS). A ‘next hop AS's’ column 612 identifiesone or more AS's that the traffic flow was sent to in the routing of thetraffic. An ‘upstream’ AS's column 614 identifies one or more AS's thatthe traffic was routed through prior to getting to the respective ASlisted in the left column 602. The next hop AS's and upstream AS's canbe determined from the routing table provided by the router or switch.The AS's can be identified by any relevant identifiers, such as, but notlimited to, a name or number.

FIG. 6 b illustrates an exemplary report 616 of the applications orprotocols associated with the highest traffic volume on an NSP network.Exemplary applications or protocols include, but are not limited to,Internet Protocol Version 4 (or other version), Internet control messageprotocol (ICMP), Internet group multicast protocol (IGMP), gateway togateway protocol, transmission control protocol (TCP), interior gatewayprotocol (IGP), exterior gateway protocol (EGP), universal datagramprotocol (UDP), source demand routing protocol (SDMP), simple mailtransport protocol (SMTP), EIGRP, TCF, and multicast transport protocol(MTP). The left column 618 lists application or protocol identifiers,such as names, acronyms, version numbers, or others.

An ‘average volume’ column 620 indicates the average traffic volumeassociated with the respective application/protocol listed in the leftcolumn 618. Columns 622, 624, 626 and 628 list average region to regionvolumes for selected regions. Specifically an ‘Average EU to EU Volume’column 622 lists the average traffic volume associated with therespective application/protocol that was sent from Europe and receivedin Europe. An ‘Average EU to NA Volume’ column 624 lists the averagetraffic volume associated with the respective application/protocol thatwas sent from Europe and received in North America. An ‘Average NA to EUVolume’ column 626 lists the average traffic volume associated with therespective application/protocol that was sent from North America andreceived in Europe. An ‘Average NA to NA Volume’ column 628 lists theaverage traffic volume associated with the respectiveapplication/protocol that was sent from North America and received inNorth America.

FIG. 7 a illustrates an exemplary report 700 of the trends in volume oftraffic associated with selected applications or protocols. The leftcolumn 702 lists application or protocol identifiers, such as names,acronyms, version numbers, or others. Columns 704, 706, 708, and 710provide trend data for the applications/protocols listed in the leftcolumn 702. For example, an ‘Average Trended (Mb/s)’ column 704 liststhe 1 year trend in average traffic flow in Mb/s for the respectiveapplications/protocol. An ‘Average CAGR (Mb/s)’ column 706 lists thecompound average growth rate in Mb/s for the respectiveapplications/protocol. An ‘Average Trended (%)’ column 708 lists the 1year trend in average traffic flow as a percentage for the respectiveapplications/protocol. An ‘Average CAGR (%)’ column 706 lists thecompound average growth rate as a percentage for the respectiveapplications/protocol.

FIG. 7 b illustrates an exemplary city to city traffic flow report 712.Other reports could show traffic flow from and to other geographic areassuch as countries, continents, or regions. in the left column 714, thedate(s) of the measurement or report are listed. A ‘Source City’ column716 lists one or more source cities from which traffic was sent. A‘Destination City’ column 718 lists destination cities that the trafficwas sent to from the respective source cities in the ‘Source City’column 716. Cities may be identified by name, abbreviation or otheridentifier. An ‘Average Volume’ column 720 indicates the traffic volumesent to the respective destination city by the source city. In thisembodiment, the volume is indicated in units of Mb/s, but other unitscould be used depending on the particular implementation.

The various reports described above and variations of those reports canbe used for marketing analysis, capacity planning, security analysis,and others. For example, a city-to-city traffic flow report (or othergeographic regional flow report) can be used to determine if trafficflow is overloading a gateway at a particular city, or if extrabandwidth is available in the gateway. The peer-to-peer distributionreports or peer-to-customer distribution reports can suggest newservices to provide or whether to increase bandwidth or price for givencustomers or peers. A report that shows the next hop autonomous systemsand upstream autonomous systems can indicate how far traffic istraveling to reach its destination; if traffic is traveling very far(from a topological, logical, or geographical basis) this could suggestthe need for additional bandwidth at different geographic or networklocations.

Exemplary Operations

FIG. 8 is a flowchart illustrating a traffic flow aggregating, mappingand reporting algorithm 800 in accordance with one embodiment. Thealgorithm 800 may be carried out by one or more collector nodes andaggregator nodes discussed above or alternatively on one or more othersystems. The operations shown in the algorithm 800 need not be carriedout in the particular order shown except where order is implied. Theparticular operations and steps included in the operations may berearranged, broken out, or combined with others as may be suitable to aparticular implementation without straying from the scope of theinvention.

In a receiving operation 802, sampled packet data is received. In oneembodiment the sampled packet data includes data from sampled packets,wherein the data is formatted according to a predetermined standardformat. Exemplary formats include, but are not limited to, sFlow format,Netflow format, and cflowd format. The sampled packet data may include,but is not limited to, source IP address, destination IP address, portnumber(s), AS identifier, network application or network protocol.

In a converting operation 804, the sampled packet data is converted to aneutral format. In one embodiment, the converting operation 804 involvesidentifying specified data in the sampled packet data, such as source IPaddress, destination IP address, port number(s), or AS number, andstoring the specified data in fields of a data structure organized inaccordance with the neutral format. The converting operation 804 mayconvert that data to other units or encoding prior to storing the datain the data structure.

In another receiving operation 806, one or more routing tables arereceived from a network node. The routing table(s) set forth a list ofroutes to specified destination IP addresses. The routing table(s) mayalso include community data, such as city, country, continent or regionassociated with the destination IP addresses. The routing table(s) mayfurther indicate AS numbers and/or routers associated with thedestination IP addresses. Further still, the routing table(s) couldindicate whether each of the destination IP addresses are associatedwith a customer of the NSP or not.

In mapping operation 808, destination IP addresses from each of thesampled packet data are mapped to destination prefixes in the routingtables. In an associating operation 810, the community data, AS data,and router data in the routing table(s) are associated with thecorresponding destination addresses.

In an aggregating operation 812, sample packet data and related routingtable data are aggregated from multiple network interconnection points.In one embodiment, AS numbers in the sample packet data are mapped to ASnames found in an AS registry. In some embodiments, customer attributesare mapped to corresponding sample packet data to further enrich thedata. The aggregating operation 812 derives one or more traffic flowmeasurements corresponding to one or more traffic flows through the NSPnetwork. For example, a total flow measurement may indicate totaltraffic flow between one or more peer networks or one or more ASnetworks. In addition, traffic flows between geographic regions can bedetermined. Further still, on-net and off-net traffic flow measurementsmay be determined for one or more peer or AS networks. As yet anotherexample, traffic flows between peers and NSP customers and noncustomerscan be derived in the aggregating operation 812. Numerous other trafficflow measurements may be derived in the aggregating operation 812.

In a generating operation 814, one or more reports are generated thatshow the traffic flow measurements, trends or other traffic flowstatistics associated with traffic flow. Exemplary reports that thegenerating operation 814 could generate are shown in FIGS. 3-7 anddescribed above; however, the types, format, and contents of reports arenot limited to those shown above. In some embodiments, reports aregenerated automatically, on demand or both. The generating operation 814may also send the reports to specified individuals, such as networkadministrators or managers, for analysis.

Exemplary Computing Device

FIG. 9 is a schematic diagram of a computing device 900 upon whichembodiments of the present invention may be implemented and carried out.For example, one or more computing devices 900 may be used to performthe sampling, collecting, aggregating, and reporting operationsdescribed herein. As discussed herein, embodiments of the presentinvention include various steps or operations. A variety of these stepsmay be performed by hardware components or may be embodied inmachine-executable instructions, which may be used to cause ageneral-purpose or special-purpose processor programmed with theinstructions to perform the operations. Alternatively, the steps may beperformed by a combination of hardware, software, and/or firmware.

According to the present example, the computing device 900 includes abus 901, at least one processor 902, at least one communication port903, a main memory 904, a removable storage media 905, a read onlymemory 906, and a mass storage 907. Processor(s) 902 can be any knownprocessor, such as, but not limited to, an Intel® Itanium® or Itanium 2®processor(s), AMD® Opteron® or Athlon MP® processor(s), or Motorola®lines of processors. Communication port(s) 903 can be any of an RS-232port for use with a modem based dialup connection, a 10/100 Ethernetport, a Gigabit port using copper or fiber, or a USB port. Communicationport(s) 903 may be chosen depending on a network such a Local AreaNetwork (LAN), Wide Area Network (WAN), or any network to which thecomputing device 900 connects. The computing device 900 may be incommunication with peripheral devices (not shown) such as, but notlimited to, printers, speakers, cameras, microphones, or scanners.

Main memory 904 can be Random Access Memory (RAM), or any other dynamicstorage device(s) commonly known in the art. Read only memory 906 can beany static storage device(s) such as Programmable Read Only Memory(PROM) chips for storing static information such as instructions forprocessor 902. Mass storage 907 can be used to store information andinstructions. For example, hard disks such as the Adaptec® family ofSCSI drives, an optical disc, an array of disks such as RAID, such asthe Adaptec family of RAID drives, or any other mass storage devices maybe used.

Bus 901 communicatively couples processor(s) 902 with the other memory,storage and communication blocks. Bus 901 can be a PCI/PCI-X, SCSI, orUSB based system bus (or other) depending on the storage devices used.Removable storage media 905 can be any kind of external hard-drives,floppy drives, IOMEGA® Zip Drives, Compact Disc-Read Only Memory(CD-ROM), Compact Disc-Re-Writable (CD-RW), Digital Video Disk-Read OnlyMemory (DVD-ROM).

Embodiments of the present invention include various steps, which aredescribed in this specification. The steps may be performed by hardwarecomponents or may be embodied in machine-executable instructions, whichmay be used to cause a general-purpose or special-purpose processorprogrammed with the instructions to perform the steps. Alternatively,the steps may be performed by a combination of hardware, software and/orfirmware.

Embodiments of the present invention may be provided as a computerprogram product, which may include a machine-readable medium havingstored thereon instructions, which may be used to program a computer (orother electronic devices) to perform a process. The machine-readablemedium may include, but is not limited to, floppy diskettes, opticaldisks, compact disc read-only memories (CD-ROMs), and magneto-opticaldisks, ROMs, random access memories (RAMs), erasable programmableread-only memories (EPROMs), electrically erasable programmableread-only memories (EEPROMs), magnetic or optical cards, flash memory,or other type of media/machine-readable medium suitable for storingelectronic instructions. Moreover, embodiments of the present inventionmay also be downloaded as a computer program product, wherein theprogram may be transferred from a remote computer to a requestingcomputer by way of data signals embodied in a carrier wave or otherpropagation medium via a communication link (e.g., a modem or networkconnection).

Various modifications and additions can be made to the exemplaryembodiments discussed without departing from the scope of the presentinvention. For example, while the embodiments described above refer toparticular features, the scope of this invention also includesembodiments having different combinations of features and embodimentsthat do not include all of the described features. Accordingly, thescope of the present invention is intended to embrace all suchalternatives, modifications, and variations together with allequivalents thereof.

What is claimed is:
 1. A method for analyzing traffic in acommunications network, the method comprising: sampling data packets ata plurality of network interconnection points; enriching the sampledpacket data by mapping IP addresses of the sampled packet data tocorresponding IP prefixes associated with a plurality of networkscommunicating over the communications network; and aggregating theenriched sampled packet data to yield aggregated traffic flow measuresassociated with one or more of the networks.